Enabling support for SSL mutual authentication in the Fuse Web console

Solution Verified - Updated -

Issue

The Fuse security guide describes how to enable HTTPS for the Hawtio-based Web console in Fuse, by providing a server certificate and installing it in the Pax-Web configuration. However, it does not address the need for mutual authentication, that is, situations in which a client must also present an SSL certificate and have it verified by the server.

This article describes a simple approach to implementing this mutual authentication, using a self-signed client certificate in the browser. In practice, client certificates are likely to be signed by some mutually-recognized certificate authority (CA); the steps are similar, except that it will generally be necessary to install the CA certificate chain into the Fuse server's keystore, rather than the client certificate itself.

Please note that these instructions are for Fuse in non-fabric mode. There are currently some complexities involved in the use of HTTPS with the Hawtio console in fabric mode: see this article for more details.

Whilst it is possible to enable SSL mutual authentication, bear in mind that this verification step is in addition to the usual user/password authentication demanded by the Hawtio console. There is at present no supported method for using client certificates as a replacement for user/password authentication -- this is under consideration for a later product release.
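The self-signed approach outlined above can be sketched with the JDK `keytool` as follows. This is an added example, not the article's own procedure or Red Hat's code. The alias, file names, passwords and port are constructed placeholders, and it assumes that the Pax-Web keystore also serves as the trust store and that the `org.ops4j.pax.web.ssl.*` properties apply to the installed Pax-Web version.

```shell
#!/usr/bin/env bash
# Added example. Alias, file names, passwords and port are constructed placeholders.

# Create a self-signed client key pair and register its certificate as trusted
# in the server keystore.
# usage: enroll_client <workdir> <server-keystore> <server-store-password>
enroll_client() {
    dir=$1; server_ks=$2; server_pw=$3
    client_pw='changeit-client'   # placeholder; choose a real secret

    # 1. Key pair in a PKCS#12 file, the format browsers import.
    keytool -genkeypair -alias browser-client -keyalg RSA -keysize 2048 \
        -validity 365 -dname 'CN=console-client.example' \
        -storetype PKCS12 -keystore "$dir/client.p12" \
        -storepass "$client_pw" -keypass "$client_pw" || return 1

    # 2. Export the public certificate only; the private key stays in client.p12.
    keytool -exportcert -rfc -alias browser-client -storetype PKCS12 \
        -keystore "$dir/client.p12" -storepass "$client_pw" \
        -file "$dir/client.crt" || return 1

    # 3. Add it to the server keystore as a trusted certificate entry.
    keytool -importcert -noprompt -alias browser-client \
        -file "$dir/client.crt" -keystore "$server_ks" -storepass "$server_pw"
}

# Succeeds only if <alias> is a trusted certificate entry in the keystore.
# usage: is_trusted <keystore> <store-password> <alias>
is_trusted() {
    keytool -list -alias "$3" -keystore "$1" -storepass "$2" 2>/dev/null |
        grep -q 'trustedCertEntry'
}

# Print the Pax-Web settings (etc/org.ops4j.pax.web.cfg) that turn on HTTPS and
# make the client certificate mandatory rather than optional.
# usage: pax_web_mtls_settings <server-keystore> <store-password>
pax_web_mtls_settings() {
    cat <<EOF
org.osgi.service.http.secure.enabled=true
org.osgi.service.http.port.secure=8443
org.ops4j.pax.web.ssl.keystore=$1
org.ops4j.pax.web.ssl.password=$2
org.ops4j.pax.web.ssl.keypassword=$2
org.ops4j.pax.web.ssl.clientauthwanted=false
org.ops4j.pax.web.ssl.clientauthneeded=true
EOF
}
```

With `client.p12` imported into the browser, the TLS handshake succeeds only for that certificate; the Hawtio user/password prompt still follows. For CA-signed client certificates, step 3 imports the CA certificate chain instead of the client certificate.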

Environment

  • Red Hat JBoss Fuse
    • 6.1.0 GA
